CVE-2024-43248 - Vulnerability Details - OpenCVE

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Bit Apps Bit Form Pro allows File Manipulation.This issue affects Bit Form Pro: from n/a through 2.6.4.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

Vendors	Products
Bitapps	Bit Form Bit Form Pro

Configuration 1 [-]

cpe:2.3:a:bitapps:bit_form:*:*:*:*:pro:wordpress:*:*

No data.

References

Link	Providers
https://patchstack.com/database/vulnerability/bitformpro/wordpress-bit-form-pro-plugin-2-6-4-unauthenticated-arbitrary-file-deletion-vulnerability?_s_id=cve

History

Fri, 06 Sep 2024 17:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Bitapps bit Form
CPEs		cpe:2.3:a:bitapps:bit_form:::::pro:wordpress::
Vendors & Products		Bitapps bit Form

Mon, 19 Aug 2024 18:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Bitapps Bitapps bit Form Pro
CPEs		cpe:2.3:a:bitapps:bit_form_pro::::::::
Vendors & Products		Bitapps Bitapps bit Form Pro
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 19 Aug 2024 17:30:00 +0000

Type	Values Removed	Values Added
Description		Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Bit Apps Bit Form Pro allows File Manipulation.This issue affects Bit Form Pro: from n/a through 2.6.4.
Title		WordPress Bit Form Pro plugin <= 2.6.4 - Unauthenticated Arbitrary File Deletion vulnerability
Weaknesses		CWE-22
References		https://patchstack.com/database/vulnerability/bitformpro/wordpress-bit-form-pro-plugin-2-6-4-unauthenticated-arbitrary-file-deletion-vulnerability?_s_id=cve
Metrics		cvssV3_1 `{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H'}`

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2024-08-19T17:17:17.244Z

Updated: 2024-08-19T18:03:04.307Z

Reserved: 2024-08-09T09:20:34.296Z

Link: CVE-2024-43248

Vulnrichment

Updated: 2024-08-19T18:02:25.165Z

NVD

Status : Analyzed

Published: 2024-08-19T18:15:11.030

Modified: 2024-09-06T16:32:16.687

Link: CVE-2024-43248

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-43248", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2024-08-09T09:20:34.296Z", "datePublished": "2024-08-19T17:17:17.244Z", "dateUpdated": "2024-08-19T18:03:04.307Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Bit Form Pro", "vendor": "Bit Apps", "versions": [{"lessThanOrEqual": "2.6.4", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Dave Jong (Patchstack)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Bit Apps Bit Form Pro allows File Manipulation.<p>This issue affects Bit Form Pro: from n/a through 2.6.4.</p>"}], "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Bit Apps Bit Form Pro allows File Manipulation.This issue affects Bit Form Pro: from n/a through 2.6.4."}], "impacts": [{"capecId": "CAPEC-165", "descriptions": [{"lang": "en", "value": "CAPEC-165 File Manipulation"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2024-08-19T17:17:28.975Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/vulnerability/bitformpro/wordpress-bit-form-pro-plugin-2-6-4-unauthenticated-arbitrary-file-deletion-vulnerability?_s_id=cve"}], "source": {"discovery": "EXTERNAL"}, "title": "WordPress Bit Form Pro plugin <= 2.6.4 - Unauthenticated Arbitrary File Deletion vulnerability", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"affected": [{"vendor": "bitapps", "product": "bit_form_pro", "cpes": ["cpe:2.3:a:bitapps:bit_form_pro:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.6.4", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-19T18:01:10.787044Z", "id": "CVE-2024-43248", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-19T18:03:04.307Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-43248", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-08-19T18:01:10.787044Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:bitapps:bit_form_pro:*:*:*:*:*:*:*:*"], "vendor": "bitapps", "product": "bit_form_pro", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "2.6.4"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-19T18:02:25.165Z"}}], "cna": {"title": "WordPress Bit Form Pro plugin <= 2.6.4 - Unauthenticated Arbitrary File Deletion vulnerability", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Dave Jong (Patchstack)"}], "impacts": [{"capecId": "CAPEC-165", "descriptions": [{"lang": "en", "value": "CAPEC-165 File Manipulation"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Bit Apps", "product": "Bit Form Pro", "versions": [{"status": "affected", "version": "n/a", "versionType": "custom", "lessThanOrEqual": "2.6.4"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://patchstack.com/database/vulnerability/bitformpro/wordpress-bit-form-pro-plugin-2-6-4-unauthenticated-arbitrary-file-deletion-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Bit Apps Bit Form Pro allows File Manipulation.This issue affects Bit Form Pro: from n/a through 2.6.4.", "supportingMedia": [{"type": "text/html", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Bit Apps Bit Form Pro allows File Manipulation.<p>This issue affects Bit Form Pro: from n/a through 2.6.4.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2024-08-19T17:17:28.975Z"}}}, "cveMetadata": {"cveId": "CVE-2024-43248", "state": "PUBLISHED", "dateUpdated": "2024-08-19T18:03:04.307Z", "dateReserved": "2024-08-09T09:20:34.296Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2024-08-19T17:17:17.244Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bitapps:bit_form:*:*:*:*:pro:wordpress:*:*", "matchCriteriaId": "C8FA22BD-69F8-4726-B4F6-F3826BEFD28F", "versionEndIncluding": "2.6.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Bit Apps Bit Form Pro allows File Manipulation.This issue affects Bit Form Pro: from n/a through 2.6.4."}, {"lang": "es", "value": "Limitaci\u00f3n inadecuada de un nombre de ruta a una vulnerabilidad de directorio restringido (\"Path Traversal\") en Bit Apps Bit Form Pro permite la manipulaci\u00f3n de archivos. Este problema afecta a Bit Form Pro: desde n/a hasta 2.6.4."}], "id": "CVE-2024-43248", "lastModified": "2024-09-06T16:32:16.687", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2024-08-19T18:15:11.030", "references": [{"source": "audit@patchstack.com", "tags": ["Third Party Advisory"], "url": "https://patchstack.com/database/vulnerability/bitformpro/wordpress-bit-form-pro-plugin-2-6-4-unauthenticated-arbitrary-file-deletion-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "audit@patchstack.com", "type": "Primary"}]}